Ignoring mails that come to abuse@isp is plain rude. People send mail to abuse@ as a last resort, because they need help, not because they want to screw up somebody's weekend. If that wouldn't affect my business, I'd go mad and block the whole ISP at the firewall level.
– Anonymous, Jan 26 '10 at 17:16

3 Answers
3

If you are getting a lot of traffic from these spambots, then you are best to drop them at the firewall. Dropping at IIS means putting extra load on your web server (even if it is just serving 403 pages) and if it gets heavy then it could affect the performance for real users of your sites.

I'm not intimately familiar with Shorewall but I would also expect it is probably more efficient at this filtering than IIS will be.

Agreed with dropping them at the firewall. If the IP is hosting a spambot, there is a good chance they are being controlled in a large botnet and are compromised machines. You don't want them touching your hosts at all. Right now it is just spam but it could grow to include exploits or DDoS attacks.
– Dave Drager, Jan 26 '10 at 14:22

Shorewall dropping is the best, I guess. If you can get the IP addresses of these spammers, you can dynamically block them with the command "shorewall drop/reject ipaddress". You may even write a script which can do this in real time.

I agree with Sam. It's best to stop them at the perimeter of your network (at the firewall). Think of it like your office building or your home. Do you want to let the rogue into your office and hope that you've got everything inside secured and hope that you haven't forgotten or missed something, or would you rather stop them at the door so that they can't get in at all?
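A sketch of the blocking script suggested in the answers, as an added example that is not part of the original posts. It assumes the IIS W3C logs are copied to the Shorewall host and that a high count of POST requests per client IP is the spam signal; the function names, the threshold and the sample log (documentation address ranges) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in IIS W3C extended log format (not real traffic).
SAMPLE_LOG='#Software: Microsoft Internet Information Services 7.0
#Fields: date time cs-method cs-uri-stem c-ip sc-status
2010-01-26 14:00:01 POST /contact.aspx 203.0.113.7 200
2010-01-26 14:00:02 POST /contact.aspx 203.0.113.7 200
2010-01-26 14:00:03 POST /contact.aspx 203.0.113.7 200
2010-01-26 14:00:04 GET /default.aspx 198.51.100.20 200
2010-01-26 14:00:05 POST /contact.aspx 198.51.100.20 200
2010-01-26 14:00:06 POST /contact.aspx 192.0.2.10 200
2010-01-26 14:00:07 POST /contact.aspx 192.0.2.10 200
2010-01-26 14:00:08 POST /contact.aspx 192.0.2.10 200'

# offenders THRESHOLD [ALLOWLISTED_IP...]   (hypothetical helper)
# Reads a W3C log on stdin and prints each client IP with at least THRESHOLD
# POST requests. Column positions are taken from the "#Fields:" header, so a
# changed IIS logging configuration does not silently shift the columns.
offenders() {
    threshold=$1; shift
    awk -v min="$threshold" -v allow=" $* " '
        /^#Fields:/ { for (i = 2; i <= NF; i++) col[$i] = i - 1; next }
        /^#/ { next }
        !("c-ip" in col) || !("cs-method" in col) { next }
        $(col["cs-method"]) == "POST" { hits[$(col["c-ip"])]++ }
        END {
            for (ip in hits) {
                if (hits[ip] < min) continue
                if (index(allow, " " ip " ")) continue   # never block our own hosts
                # Only dotted-quad shaped values reach the firewall command.
                if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
                print ip
            }
        }' | sort
}

# block APPLY THRESHOLD [ALLOWLISTED_IP...]   (hypothetical helper)
# APPLY=0 prints the commands (dry run); APPLY=1 runs them on the firewall.
block() {
    apply=$1; shift
    offenders "$@" | while read -r ip; do
        if [ "$apply" = 1 ]; then shorewall drop "$ip"; else echo "shorewall drop $ip"; fi
    done
}

# Dry run over the constructed sample, allowlisting one monitoring host.
printf '%s\n' "$SAMPLE_LOG" | block 0 3 192.0.2.10
```

Review the dry-run output before switching to `block 1`, and keep your own monitoring and proxy addresses in the allowlist so a busy legitimate client cannot be locked out.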